JP6169954B2 - Service estimation apparatus and method - Google Patents

Description

  The present invention relates to a technique for estimating a communication service used by a user.

  In recent years, with the spread of smartphones and the increase in communication speed, characteristics of traffic flowing through a mobile network, such as an increase in the number of volumes and sessions, communication synchronization, and the like, have changed greatly. This change in traffic characteristics causes a failure in network equipment. In order to prevent such failures, it is necessary to analyze in advance the characteristics of communication traffic that occurs when using services and applications, predict the impact on facilities, and make appropriate facility plans. Here, Patent Document 1 that discloses a technique for monitoring traffic is known.

  Patent Document 1 discloses a technology of a traffic monitoring apparatus that can accurately determine a feature type by using a plurality of feature information for determination in traffic monitoring. In this traffic monitoring apparatus, the measurement function unit controls the measurement of the measurement function unit by the measurement control unit, the traffic is classified into three types by the traffic input unit, and the traffic to be observed and the teacher traffic classified by the feature acquisition unit The feature information and teacher information are extracted from the information, the teacher information acquisition unit converts the teacher information into evaluation teacher information, and the classification is based on the feature information and the evaluation teacher information input by the traffic classification function unit. The traffic information classified according to the estimated type is stored in the classification information storage unit, and the traffic is output as an output signal together with the teacher information and the control signal from the traffic output unit in accordance with the control signal.

JP 2013-127504 A

However, the technique of Patent Document 1 classifies traffic, but cannot identify the contents of the service.
In addition, conventional session-oriented (L5 or higher) traffic analysis has become difficult due to encryption of communication from the viewpoint of privacy protection and the like, and the use of a communication protocol unique to OTT.

  Therefore, a technique for analyzing such traffic and estimating a service used by a user is desired.

  An object of this invention is to provide the service estimation apparatus and method which can estimate the media classification of the communication service which the user is utilizing.

Specifically, the following solutions are provided.
(1) A service estimation device that estimates a media type of a communication service being used based on communication traffic between a user terminal and a server, and is supported by the domain name of the communication service and the communication service Based on the media type storage means for storing the media type in association with each other, the response acquisition means for acquiring a response in the communication between the user terminal and the DNS server, and the response acquired by the response acquisition means, the domain Extraction means for extracting a name and an IP address, storage control means for associating the domain name extracted by the extraction means with the IP address and storing them in a DNS map storage means, the user terminal and the server Session acquisition means for acquiring a communication session between Analyzing the communication session acquired by the session acquisition means, and separating the communication media from a call flow constituting the communication session; and the communication traffic of the communication media sorted by the media sorting means Session feature value calculation means for calculating communication feature values of the classified communication media, and the DNS map storage based on the IP address used for the communication session acquired by the session acquisition means The domain name associated in the means is acquired, the media type associated in the media type storage means is acquired based on the acquired domain name, and the communication feature amount of the acquired media type , By the session feature amount calculation means Calculated by comparing the communication characteristic quantity, the service estimating device and a media type estimating means for estimating the media type of the communication session.

  According to the configuration of (1), the service estimation device includes media type storage means for storing the domain name of the communication service and the media type supported by the communication service in association with each other, the user terminal, the DNS server, In this communication, a response is acquired, a domain name and an IP address are extracted based on the acquired response, and the extracted domain name and the IP address are associated with each other and stored in the DNS map storage unit. Then, the service estimation device acquires a communication session between the user terminal and the server, analyzes the acquired communication session, classifies the communication media from a call flow constituting the communication session, and determines the communication traffic of the classified communication media The domain name associated with the DNS map storage means based on the IP address used for the acquired communication session, and the acquired domain Based on the name, the media type associated in the media type storage unit is acquired, the communication feature amount of the acquired media type is compared with the acquired communication feature amount, and the media type of the communication session is estimated.

That is, the service estimation apparatus according to (1) analyzes the communication traffic of the communication media in the communication session, and estimates the media type of the communication service based on the analyzed communication feature amount.
Therefore, the service estimation apparatus according to (1) can estimate the media type of the communication service used by the user. As a result, the service estimation apparatus can provide effective information for network facility failure suppression, occurrence cause investigation, and network facility planning.

  (2) The memory further comprises valid time extraction means for extracting a valid time indicating a time during which the association between the domain name and the IP address is valid based on the response acquired by the response acquisition means, The control means stores the effective time extracted by the effective time extraction means together with the domain name and the IP address in the DNS map storage means, and the media type estimation means is obtained by the session acquisition means. The service according to (1), wherein when the communication session is within the valid time stored in the DNS map storage unit, the media type is estimated by the domain name acquired based on the DNS map storage unit. Estimating device.

  Therefore, the service estimation apparatus according to (2) can accurately estimate the media type of the communication service used by the user. As a result, the service estimation apparatus can provide more effective information for network facility failure suppression, occurrence cause investigation, and network facility planning.

  (3) A method executed by the service estimation apparatus according to (1), in which the response acquisition unit acquires a response in communication between the user terminal and the DNS server, and the extraction unit includes An extraction step of extracting a domain name and an IP address based on the response acquired by the response acquisition step, and the storage control means includes the domain name and the IP address extracted by the extraction step. Correspondingly, a storage control step for storing in the DNS map storage means, a session acquisition step for the session acquisition means to acquire a communication session between the user terminal and the server, and the media sorting means, The communication set acquired by the session acquisition step. A media classification step of analyzing a communication session and classifying communication media from a call flow constituting the communication session, and the session feature amount calculating means analyzes the communication traffic of the communication media sorted by the media classification step. , A session feature amount calculating step for calculating the communication feature amount of the separated communication media, and the media type estimation means based on the IP address used for the communication session acquired by the session acquisition step, The domain name associated in the DNS map storage unit is acquired, the media type associated in the media type storage unit is acquired based on the acquired domain name, and the media type of the acquired media type is acquired. Communication features and the session features A media type estimating step of comparing the communication feature amount calculated by the collection amount calculating step and estimating the media type of the communication session.

  Therefore, the method according to (3) can estimate the media type of the communication service used by the user. As a result, the method according to (3) can provide effective information for network facility failure suppression, occurrence cause investigation, and network facility planning.

  According to the present invention, the media type of the communication service used by the user can be estimated. Furthermore, it is possible to analyze the communication feature quantity of encrypted traffic or traffic with unknown specifications, and estimate the service being used. Further, the service is estimated based on the communication session within the valid time. As a result, the present invention can provide information useful for network facility fault suppression, occurrence cause investigation, and network facility planning.

It is a figure for demonstrating the outline | summary of the estimation of the service classification which concerns on one Embodiment of this invention. It is a figure which shows the structure of the service estimation apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of media classification DB by the service estimation apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the DNS map by the service estimation apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the DNS response by the service estimation apparatus which concerns on one Embodiment of this invention. It is a figure explaining the example of the call flow in a communication session. It is a figure for demonstrating the communication feature-value of audio | voice communication. It is a figure for demonstrating the communication feature-value of moving image communication. It is a figure for demonstrating the communication feature-value of texting. It is a figure for demonstrating the communication feature-value of background communication. It is a figure for demonstrating the communication feature-value of communication by superimposition of several media. It is a figure for demonstrating the communication feature-value of communication by multiple flows. It is a flowchart which shows the process of the service estimation apparatus which concerns on one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram for explaining an outline of service type estimation according to an embodiment of the present invention. Although FIG. 1 shows one DNS server 30, server 40, and user terminal 50, the present invention is not limited to this, and a plurality of DNS servers, servers, and user terminals 50 may be included. The server 40 is a server that provides a service, such as a mail server that provides a mail service, an application server that provides application processing, a content server that provides content (such as text and images), and a Web server. .

First, in order to perform a communication session with the server 40 via the communication network 70, the user terminal 50 requests the DNS server 30 for an inquiry for name resolution to check the IP address of the server 40. Inquiries include not only queries by domain name, but also queries by host name + domain name.
In response to the inquiry request, the DNS server 30 obtains the IP address of the server 40 and returns a response to the user terminal 50. The service estimation device 10 extracts the domain name and IP address included in the answer based on the response from the DNS server 30 and stores them as the DNS map 20.

Next, the user terminal 50 requests a service from the server 40. The server 40 returns a response to the service request to the user terminal 50.
Next, the service estimation apparatus 10 analyzes the communication traffic in the communication session and calculates the communication feature amount of the traffic.
Next, the service estimation device 10 acquires a domain name associated with the DNS map 20 based on the IP address used for the communication session, and associates with the media type DB 21 based on the acquired domain name. The acquired media type is acquired, the communication feature amount of the acquired media type is compared with the calculated communication feature amount, and the media type of the communication session is estimated.
In this way, the service estimation device 10 can use the service that is actually used by the user even when the payload part of the Layer 4 of the OSI reference model is concealed by the concealment technique represented by SSL or the like. The media type can be estimated.

  FIG. 2 is a diagram showing a configuration of the service estimation apparatus 10 according to an embodiment of the present invention. The service estimation apparatus 10 includes a DNS map 20, a media type DB (database) 21 as media type storage means, a response acquisition means 11, an extraction means 12, an effective time extraction means 13, a storage control means 14, a session An acquisition unit 15, a media classification unit 16, a session feature amount calculation unit 17, and a media type estimation unit 18 are provided. Hereinafter, each means will be described in detail.

  The media type DB 21 is a service type of a communication service, a media type supported by the service type of the communication service, and a communication feature amount (for example, a communication feature indicating a pattern as teacher information as shown in FIGS. 7 to 12). Amount) is stored in advance in association with each other as shown in FIG.

  The DNS map 20 stores the IP address of the user terminal 50 and the domain name and IP address of the server 40 in association with each other as shown in FIG.

  The response acquisition unit 11 acquires a response in communication between the user terminal 50 and the DNS server 30. Specifically, the response acquisition unit 11 acquires a response of an answer from the DNS server 30 to the user terminal 50 in response to an inquiry request from the user terminal 50 to the DNS server 30. That is, the user terminal 50 makes an inquiry request for obtaining the IP address of the server 40 to the DNS server 30 in order to communicate with the server 40. In response to this inquiry request, the DNS server 30 obtains the IP address of the server 40 and sends a response to the user terminal 50. The response acquisition unit 11 acquires a DNS response that is a response to this answer.

  The extraction unit 12 extracts a domain name and an IP address based on the response acquired by the response acquisition unit 11. Specifically, based on the DNS response acquired by the response acquisition unit 11, the extraction unit 12 makes an inquiry to the DNS server 30, and based on the response that the DNS server 30 answers to the user terminal 50, A domain name and an IP address are extracted.

  The storage control unit 14 associates the domain name extracted by the extraction unit 12 with the IP address and stores it in the DNS map 20. Specifically, the storage control unit 14 creates the DNS map 20 in which the domain name of the server 40 is associated with the IP address of the server 40. If the correspondence between the domain name and the IP address has an expiration date, and the correspondence is frequently changed, the storage control unit 14 uses the latest information on the correspondence between the domain name and the IP address. The DNS map 20 may be updated.

  The session acquisition unit 15 acquires a communication session between the user terminal 50 and the server 40. Specifically, the session acquisition unit 15 acquires a packet between application processes transmitted from the user terminal 50 to the server 40 as a communication session to be estimated.

  The media sorting unit 16 analyzes the communication session acquired by the session acquisition unit 15 and sorts the communication media from the call flow constituting the communication session. Specifically, as shown in FIG. 6 to be described later, the media sorting unit 16 is configured to send a signaling part whose pattern and number of bytes are substantially constant from a call flow constituted by a communication start request to a communication end response, and a communication medium. And media (upstream) and media (downstream).

  The session feature amount calculating unit 17 analyzes the communication traffic of the communication media sorted by the media sorting unit 16 and calculates the communication feature amount of the sorted communication media. The communication feature value calculated by the session feature value calculation means 17 has features as shown in FIGS.

  The session feature amount calculation means 17 analyzes the vertical direction in units of TCP sessions, packet size distribution, distribution of packet arrival intervals by packet size, frequency of packet arrival intervals by packet size, and packets per unit time by packet size. The communication feature amount such as the total size per unit time by number and packet size is calculated.

  The media type estimation unit 18 acquires a domain name associated with the DNS map 20 based on the IP address used in the communication session acquired by the session acquisition unit 15, and based on the acquired domain name, The media type associated in the media type DB 21 is acquired, and the communication feature amount of the acquired media type is compared with the communication feature amount calculated by the session feature amount calculating unit 17 to estimate the media type of the communication session. . Specifically, the media type estimation means 18 acquires a domain name (for example, example1.com) associated with the DNS map 20 based on the IP address, and in the media type DB 21 based on the acquired domain name. The communication feature amount of text and moving image is acquired as the associated media type. For example, the media type estimation unit 18 estimates the service type of the acquired communication session as a moving image by comparing the communication feature amount of the acquired media type with the communication feature amount calculated by the session feature amount calculation unit 17. To do. As described above, the media type estimation unit 18 collates the communication feature amount of the communication session with the teacher information stored in the media type DB 21, for example, the patterns of FIGS. 7 to 12, and is used by the user in the communication session. Estimated media type.

  The media type estimation means 18 may estimate the service content by a combination of media types in order to estimate the service content that cannot be specified by a metric such as an average. For example, when there is a feature of voice communication only in the downlink, the media type estimation unit 18 estimates the service content as music distribution. For example, when there is a voice communication characteristic in the vertical direction, the media type estimation unit 18 estimates the service content as a voice call. For example, when there is a feature of moving image communication only in downlink, the media type estimating means 18 estimates the service content as moving image viewing. The media type estimation means 18 estimates the service content as a video call when, for example, there are voice / video communication characteristics in both the vertical direction. Teacher information for estimation may be created in advance and stored in the media type DB 21.

Further, the valid time extracting unit 13 extracts a valid time indicating a time during which the association between the domain name and the IP address is valid based on the DNS response acquired by the response acquiring unit 11. The storage control unit 14 stores the effective time extracted by the effective time extraction unit 13 in the DNS map 20 together with the domain name and the IP address.
The media type estimation unit 18 estimates the media type based on the DNS map 20 and the media type DB 21 when the communication session acquired by the session acquisition unit 15 is within the valid time stored in the DNS map 20.

  FIG. 3 is a diagram showing an example of the media type DB 21 by the service estimation apparatus 10 according to an embodiment of the present invention. As shown in FIG. 3, the media type DB 21 includes a domain name (representing a service type), a type of media provided by a communication service corresponding to the domain name, and a communication feature amount (for example, shown in FIGS. 7 to 12). Are stored in association with each other in advance.

FIG. 4 is a diagram illustrating an example of the DNS map 20 by the service estimation apparatus 10 according to an embodiment of the present invention. As shown in FIG. 4, the DNS map 20 stores the domain name of the server 40, the IP address of the server 40, the DNS response time, and the TTL for each IP address of the user terminal 50.
The IP address of the user terminal 50, the domain name of the server 40, and the IP address of the server 40 are extracted by the extracting unit 12, and the DNS response time and TTL (Time to live) are extracted by the valid time extracting unit 13.

  FIG. 5 is a diagram illustrating an example of a DNS response by the service estimation apparatus 10 according to an embodiment of the present invention. The example of FIG. 5 is a diagram illustrating that the user terminal 50 communicates with the server 40 that provides the service based on the DNS answer acquired by making an inquiry to the DNS server 30. In FIG. 5, the user terminal 50 makes a DNS inquiry to the DNS server 30, acquires the IP address of the server 40 that provides the service by a DNS response, and sends the server 40 that provides the service based on the acquired IP address. Connect and receive service from the server 40.

  FIG. 6 is a diagram illustrating an example of a call flow in a communication session. The example of FIG. 6 is an example in which a call flow from a communication start request to a call end response is performed between the user terminal 50 and the server 40. From the call flow, signaling (communication start request to parameter exchange, communication end request and communication end response) having a substantially constant pattern and number of bytes and media (media (upstream) and media (downstream)) are separated.

  FIG. 7 is a diagram for explaining communication feature amounts of voice communication. The example of FIG. 7 is an example in which voice communication is represented with time on the horizontal axis and the amount of communication data (number of bytes) on the vertical axis. Since voice communication is communication having a certain amount of communication data, an envelope P101 is calculated as a communication feature amount by media envelope analysis.

  FIG. 8 is a diagram for explaining communication feature amounts of moving image communication. The example of FIG. 8 is an example in which video communication is represented with the horizontal axis representing time and the vertical axis representing the amount of communication data (number of bytes). Since moving image communication is communication in which the amount of communication data is large and the amount of communication data changes, the envelope P102 is calculated as a communication feature amount by media envelope analysis.

  FIG. 9 is a diagram for explaining the communication feature amount of texting. The example of FIG. 9 is an example in which texting is represented with time on the horizontal axis and the amount of communication data (number of bytes) on the vertical axis. Since texting is a small amount of communication data and is a one-time communication, the envelope P103 is calculated as a communication feature amount by media envelope analysis.

  FIG. 10 is a diagram for explaining the communication feature amount of the background communication. The example of FIG. 7 is an example in which background communication is represented with time on the horizontal axis and the amount of communication data (number of bytes) on the vertical axis. Since background communication has a small amount of communication data and is regular communication, the envelope P104 is calculated as a communication feature amount by media envelope analysis.

  FIG. 11 is a diagram for explaining communication feature amounts of communication by superimposing a plurality of media. In the example of FIG. 11, video communication (communication with a large communication data amount and communication data amount changing) and background communication (communication with a small communication data amount and regular communication) are superimposed. It is an example of communication.

  FIG. 12 is a diagram for explaining communication feature amounts of communication using a plurality of flows. The example of FIG. 12 is an example of parallel communication using two ports for speeding up. In the case of parallel communication for speeding up, communication data correlates in time.

  FIG. 13 is a flowchart showing processing of the service estimation apparatus 10 according to an embodiment of the present invention. The service estimation device 10 includes hardware included in a computer and its peripheral devices, and software that controls the hardware. The following processing is executed by a control unit (for example, the CPU of the service estimation device 10) according to predetermined software. It is processing to do.

  In step S101, the CPU (response acquisition unit 11, extraction unit 12, valid time extraction unit 13, storage control unit 14) acquires a DNS response, extracts a domain name and an IP address, and extracts a domain name and an IP address. Are associated with each other and stored in the DNS map 20.

  In step S <b> 102, the CPU (session acquisition unit 15, media sorting unit 16) acquires a communication session, analyzes the acquired communication session, and sorts the communication media from a call flow constituting the communication session.

  In step S103, the CPU (session feature amount calculation means 17, media type estimation means 18) analyzes the communication traffic of the classified communication media and calculates the communication feature values of the classified communication media. Next, the CPU acquires the domain name associated in the DNS map 20 based on the IP address used for the communication session, and the media associated in the media type DB 21 based on the acquired domain name. The type is acquired, the communication feature amount of the acquired media type is compared with the calculated communication feature amount, and the media type of the communication session is estimated.

According to the present embodiment, the service estimation apparatus 10 includes a media type DB 21 that stores a domain name of a communication service and a media type supported by the communication service in association with each other, and includes a user terminal 50, a DNS server 30, and the like. In this communication, a response is acquired, a domain name and an IP address are extracted based on the acquired response, and the extracted domain name and the IP address are associated with each other and stored in the DNS map 20. And the service estimation apparatus 10 acquires the communication session between the user terminal 50 and the server 40, analyzes the acquired communication session, classifies the communication media from the call flow constituting the communication session, and sorts the communication media The communication traffic of the classified communication media is acquired, the domain name associated in the DNS map 20 is acquired based on the IP address used for the acquired communication session, and acquired. Based on the domain name, the media type associated in the media type DB 21 is acquired, and the communication feature amount of the acquired media type is compared with the acquired communication feature amount to estimate the media type of the communication session.
Therefore, the service estimation device 10 can estimate the media type of the communication service used by the user. As a result, the service estimation apparatus 10 can provide information that is effective for network facility failure suppression, occurrence cause investigation, and network facility planning.

  As mentioned above, although embodiment of this invention was described, this invention is not restricted to embodiment mentioned above. The effects described in the embodiments of the present invention are only the most preferable effects resulting from the present invention, and the effects of the present invention are limited to those described in the embodiments of the present invention. is not.

DESCRIPTION OF SYMBOLS 10 Service estimation apparatus 11 Response acquisition means 12 Extraction means 13 Effective time extraction means 14 Storage control means 15 Session acquisition means 16 Media classification means 17 Session feature-value calculation means 18 Media type estimation means 20 DNS map 21 Media type DB
30 DNS server 40 server 50 user terminal 70 communication network

Claims (3)

A service estimation device that estimates a media type of a communication service being used based on communication traffic between a user terminal and a server,
Media type storage means for storing a domain name of the communication service and a media type supported by the communication service in association with each other;
Response acquisition means for acquiring a response in communication between the user terminal and the DNS server;
Extraction means for extracting a domain name and an IP address based on the response acquired by the response acquisition means;
Storage control means for associating the domain name extracted by the extraction means with the IP address and storing them in a DNS map storage means;
Session acquisition means for acquiring a communication session between the user terminal and the server;
Analyzing the communication session acquired by the session acquisition means, and media separating means for separating communication media from a call flow constituting the communication session;
Session feature value calculating means for analyzing communication traffic of the communication media sorted by the media sorting means and calculating communication feature values of the sorted communication media;
Based on the IP address used for the communication session acquired by the session acquisition unit, the domain name associated in the DNS map storage unit is acquired, and based on the acquired domain name, the media The media type associated in the type storage unit is acquired, the communication feature amount of the acquired media type is compared with the communication feature amount calculated by the session feature amount calculation unit, and the communication session Media type estimation means for estimating the media type;
A service estimation apparatus comprising: Based on the response acquired by the response acquisition means, further comprising an effective time extraction means for extracting an effective time indicating a time during which the association between the domain name and the IP address is effective,
The storage control means stores the effective time extracted by the effective time extraction means together with the domain name and the IP address in the DNS map storage means,
The media type estimation unit is configured to acquire the domain acquired based on the DNS map storage unit when the communication session acquired by the session acquisition unit is within the valid time stored in the DNS map storage unit. Estimating the media type by name,
The service estimation apparatus according to claim 1. A method performed by the service estimation device according to claim 1,
A response acquisition step in which the response acquisition means acquires a response in communication between the user terminal and a DNS server;
An extracting step in which the extracting means extracts a domain name and an IP address based on the response acquired by the response acquiring step;
A storage control step in which the storage control means associates the domain name extracted in the extraction step with the IP address and stores it in the DNS map storage means;
A session acquisition step in which the session acquisition means acquires a communication session between the user terminal and the server;
A media sorting step in which the media sorting means analyzes the communication session acquired by the session acquiring step, and sorts the communication media from a call flow constituting the communication session;
A session feature amount calculating step for analyzing the communication traffic of the communication media sorted by the media sorting step, and calculating the communication feature amount of the sorted communication media;
The media type estimation unit acquires the domain name associated in the DNS map storage unit based on the IP address used in the communication session acquired by the session acquisition step, and acquires the domain Based on the name, the media type associated in the media type storage means is acquired, and the communication feature amount of the acquired media type and the communication feature amount calculated by the session feature amount calculating step A media type estimation step for comparing and estimating the media type of the communication session;
A method comprising:

Images